Method, a network access system, a network access client device, a network access trading device, and a computer software product for establishing a network connection

ABSTRACT

The invention relates to a method for controlling the establishment of a network connection between a client and a network, comprising the phases of authenticating, authorizing, and accounting, and comprising a further interim negotiation phase of negotiating a connection or business mode of authorization and accounting. The invention further relates to a network access system, a network access client device, a network access trading device, and a computer software product.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a method for establishing a network connection between a client and a network. Furthermore, the present invention relates to a network access system, a network access client device, a network access trading device, and a computer software product.

[0002] The invention is based on a priority application, EP 03290970.7, which is hereby incorporated by reference.

[0003] Authentication, authorization, and accounting (AAA) represent the “big three” in terms of network management and policy administration. Such a method for network resource access is described, in general, in PCT Application WO 02/091648.

[0004] Authentication is to identify a client that requires access to some system and logically precedes authorization. The mechanism for authentication is typically undertaken through the exchange of logical keys or certificates between a client and a server. Authorization follows authentication and entails the process of determining whether the client is allowed to perform or request certain tasks or operations. Accounting is the process of measuring resource consumption, allowing monitoring and reporting of events and usage for various purposes including billing, analysis, and ongoing policy management.

[0005] AAA servers provide the means of administering policy to ensure proper use and management of resources. Historically, the Remote Authentication Dial In User Service (RADIUS) protocol has been used to provide AAA services for dial-up point-to-point protocol and terminal server access. The next generation of authentication, authorization and usage accounting for dial-in access is Diameter, which also addresses concerns such as virtual private network support, smart authentication, and roaming. The basic concept behind Diameter is to provide a protocol that can be extended in order to provide AAA services to new access technologies.

[0006] The Diameter protocol allows peers to exchange a variety of messages. The base protocol provides, e.g., the delivery of attribute value pairs, capability negotiation (in the sense of address negotiation), error notification, as well as extensibility. Basic services necessary for applications, such as handling of user sessions or accounting, are realized. Diameter has the following features:

[0007] Transporting of user authentication information, for the purpose of enabling the Diameter server to authenticate the user.

[0008] Transporting of service-specific authorization information between client and servers, allowing the peers to decide whether a user's access request should be granted.

[0009] Exchanging resource usage information, which may be used for accounting purposes, capacity planning, etc.

[0010] Relaying, proxying and redirecting of messages through a server hierarchy. Any node can initiate a request.

[0011] A Diameter client is a device at the edge of the network that performs access control for a network access client (device). A typical Diameter client is a network access server device (NAS) or a foreign agent (FA). A Diameter client generates Diameter messages to request authentication, authorization, and accounting services for a user of a network access client device. An agent is a node that does not authenticate or authorize messages locally. Examples of agents are proxies and relay agents.

[0012] Accounting is the act of collecting information on resource usage for the purpose of capacity planning, auditing, billing or cost allocation. Accounting servers creating the session record may do so by processing interim accounting events or accounting events from several devices serving the same user. Authentication is the act of verifying the identity of an entity (subject). Authorization is the act of determining whether a requesting entity (subject) will be allowed access to a resource (object). An agent is a node that provides either relay, proxy, redirect or translation services.

[0013] A network access server device is a node at the edge of the network that performs access control. It is assumed that it handles authentication, authorization, and accounting requests using e.g. an AAA server such as a Diameter server for a particular realm.

[0014] A home realm is the administrative domain with which the user maintains an account relationship. A local realm is the administrative domain providing services to a user. A relay agent or relay forwards requests and responses.

[0015] A session is a related progression of events devoted to a particular activity. Each application should provide guidelines as to when a session begins and ends. A sub-session represents a distinct service, e.g. quality of service or data characteristics, provided to a given session.

[0016] Known is, e.g., a network access mechanism that allows imposing business rules on authentication and authorization requests. The authorization request can then be granted or denied, based on known variables like username and password, quota, connection time, concurrent connections, etc. These solutions allow a well-founded (but simple) accept/reject answer to a connection request, possibly including information on the nature of the allowed connection, e.g. its quality of service.

[0017] Today's access networking provides only means like virtual private networks, connection aggregation, connectivity to multiple networks, and static business rules on connectivity, i.e. a fixed authorization and accounting. The problem is to support dynamic AAA scenarios.

SUMMARY OF THE INVENTION

[0018] This problem is solved by a method for controlling the establishment of a network connection between a client and a network, comprising the phases of authenticating, authorizing, and accounting, and comprising a further interim negotiation phase of negotiating a connection or business mode of authorization and accounting. The method might further comprise an additional initialization phase synchronizing the underlying business model, and might provide a user interface means for involving a user in the further interim negotiation phase. The negotiating might comprise a connection policy-framework compliant solution.

[0019] The problem is further solved by a network access system comprising a network access client device connected to at least one network via a network access trader device, said network access client device comprising a connection controller for controlling the access to said at least one network, further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with a network access trading device of said at least one network, and said network access trading device comprising a second connection controller for controlling the access to said at least one network from said at least one network access client device, and a second business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with said at least one network access client device and for authorization and accounting of said connection.

[0020] The problem is also solved by a network access client device connected to at least one network, comprising a connection controller for controlling the access to said at least one network, further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with a network access trading device of said at least one network.

[0021] The problem is further solved by a network access trading device connected to at least one network and at least one network access client device, the network access trading device comprising a connection controller for controlling the access to said at least one network from said at least one network access client device, further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with said at least one network access client device and for authorization and accounting of said connection.

[0022] And the problem is solved by a corresponding computer software product comprising programming means for performing the method above.

[0023] In other words, the aim is to go beyond simple accept/reject authentication-authorization-and-accounting scenarios, where the decision is based on information that is available or generated at the server side. The solution is that connection requests are accepted or rejected at a finer granularity, based on information available at the client side and at the server side and integrated in a business model.

[0024] The present invention introduces a mechanism for a business logic that sits on top of the AAA functionality, offering more advanced and nuanced access scenarios. An intermediate phase in authorization and connection setup, between request and acceptance, is added. In this intermediate phase, the client application or the end-user is queried for more information or decisions on certain aspects of the connection.

[0025] A preferable implementation of the invention involves an architecture with a user's client device or a mediating client device and a network access server system. There might be a communication channel between an access controller in the access provider domain and the client device (connectivity through an (always-on) control channel). This life-line control channel is used to allow flexible business logic to be enforced when a user requests to be connected to a network. The client contains a connection controller that receives/intercepts connection requests, sends them to business logic (either on the terminal or on the server) and forwards the request to a connection controller. A server contains the business logic or a business logic controller that updates the business logic on the client (in case it is located on the client).

[0026] Accordingly, it is an object and advantage of the present invention to provide interactive, integrative accept/reject/modify access scenarios, with for instance the possibility to ask for additional information, e.g. from a user or an application, about access network characteristics, the possibility for users to decide on aspects of the connection, and the possibility to have a negotiation between access client and access server.

[0027] Another advantage of the present invention is the de-coupling of authentication and business rules, allowing flexible business rules at the client side and server-side business logic, even when located at the client side.

[0028] A further advantage of the present invention is to deploy client software without hard-coded business logic. This will increase revenue by reducing the cost for deploying new or changing existing business logic.

[0029] Yet another advantage of the present invention is that it allows to apply and negotiate business rules before connecting to the network, with an extensive and configurable set of rules for business logic.

[0030] These and many other objects and advantages of the present invention will become apparent to those of ordinary skill in the art from a consideration of the drawings and ensuing description.

[0031] An intermediate phase is foreseen in authorization and connection setup, between request and acceptance. In this intermediate phase, the client application or the end-user is queried for more information or decisions on certain aspects of the connection.

BRIEF DESCRIPTION OF THE DRAWINGS

[0032] The invention is illustrated by the following figures, where

[0033] FIG. 1 is a flow diagram of authentication, authorization, and accounting phases according to the prior art.

[0034] FIG. 2 is a flow diagram of authentication, authorization, and accounting phases in the method according to the invention.

[0035] FIG. 3 and FIG. 4 are collaboration diagrams of network access systems according to the invention.

[0036] FIG. 5 and FIG. 6 show network access systems according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0037] FIG. 1 shows a flow diagram comprising the phases of service selection P1, authentication P2, authorization P3, a decision phase P4 whether to accept or reject, and an access phase P5. This is a part of the well-known AAA procedure. A network access client selects a service within the service selection phase P1. After the selection the network access client is authenticated in the authentication phase P2. The authorization is checked within the authorization phase P3. Then a decision is performed within the decision phase P4 whether to accept the request and allow access in the access phase P5 or to resume the process, for instance, at the authentication phase P2.

[0038] This procedure is enhanced as illustratively shown in FIG. 2, showing a flow diagram with the phases described in FIG. 1 and an additional negotiation phase P6. Within the service selection phase P1 a network access client requests some service, e.g. a network connection etc. After that the access client authenticates within the authentication phase P2. Within the additional negotiation phase P6 the network access client and a network access server negotiate about conditions or, more precisely, a model of pricing, capacity, efficiency etc. The authorization phase P3 and the decision phase P4 as well as the access phase P5 follow the negotiation phase P6. These three phases are performed with respect to the negotiations done in the negotiation phase P6, meaning that all the phases depend on the negotiation results, which are e.g. manifested within the business mode; the business mode is derived from the business model and is an entity controlling the behavior within these phases. If the negotiation fails, the network access client might re-select a service. This is illustrated by the arrow from the negotiation phase P6 to the service selection phase P1. Although for simplicity reasons the phases are illustrated in a sequential order, the phases might overlap. For instance, while accessing, a re-authentication might be necessary for re-negotiation due to a change of service characteristics.

[0039] The interim negotiation phase P6 and its result are the basis for a variety of network service access scenarios. Possible use cases involve a parental control where a parent is asked for permission (grant/deny) when his child wants to access the internet, or a parent can accept the child's connection, but the bandwidth is specified by the parent at that time. The parent is notified when the child goes online, etc.

[0040] In particular, more specific requests or user alerts of specific conditions are enabled by the advanced interim negotiation phase. The access server might ask for the precise bandwidth the user wants or the variance conditions he agrees to. The access system might notify a user or a client of low network performance or of a network outage using a suited man-machine interface.

[0041] The result of this enhanced connectivity request scenario is that after the intermediate phase the connection is granted, denied or granted in a modified, conditioned form. A concrete connection setup might be allocated around the negotiation phase or at the end when access is granted.

[0042] The collaboration diagrams shown in FIG. 3 and FIG. 4 comprise a client object C and a server object S.

[0043] In FIG. 3 the client object C comprises an application AP, a first session handler SH1, a business logic BL, and a first connection handler CH1. The server object S comprises a second session handler SH2 and a second connection handler CH2, as well as a business logic controller BLC.

[0044] The objects interact as follows: The client object and the server object align or synchronize their business logic in order to enable a negotiation in a first interaction 1. When the application requires a certain network resource, in a second interaction 2 a connection request is sent to the first session handler SH1. The session handler requests in a third interaction 3 said resource, and trades collaboratively 4 about quality of service, information, pricing, restrictions, etc. using the business logic BL. Finally a contract is established 5. Then the first session handler raises a connection set-up request 6 to the first connection handler CH1. The first connection handler CH1 sets up a connection 7 by informing the second connection handler CH2 at the server side. At the server side the second session handler is informed about the connection setup 8.

[0045] Both session handlers SH1 and SH2 within this illustrative architecture are responsible for enforcing the negotiated contract. Such contracts might comprise information policies or pricing as well as service characteristics like maximal or guaranteed bandwidth, as well as dynamic aspects like accounting or additional claims on e.g. quality of service.

[0046] The business logic BL might be realized by a set of business objects. A business object is an object that models a business concept, such as a person, place, event, or process. Such business objects represent real-world things such as accounts, services, persons, products, tariffs, invoices, or payments. Modern software products comprise information systems that serve and adapt to the complex needs of businesses. Applications like an authentication or an authorization designed from the ground up (and not hacked) using the business object model are better suited to meet the requirements of rapidly evolving businesses.

[0047] In FIG. 4 an alternative deployment of the business logic is shown. There the client object C does not comprise the business model. Instead, for requesting, trading and contracting it has to contact the server's business logic controller BLC. The remaining interactions are the same as in FIG. 3.

[0048] When an application AP requires network services, i.e. intends to establish a connection, a request is forwarded to or intercepted by a connection controller comprising e.g. the first session handler SH1. This first session handler SH1 consults a business logic module BL or BLC, located on the user terminal or on the server in the network, that enables it to decide to grant/deny the connection or to initiate an intermediate phase querying the user or his application for more information or a decision on some aspect(s) of the connection. After the preliminary connection accept, the request is sent to e.g. an actual connection provider module, for example a PPP or DHCP driver.

[0049] In case the business logic module BLC is located on the server S only, the connection set-up request is sent over the control channel (including the necessary data concerning originator, addressee, network to be connected to, timestamp, etc.). In case the business logic module BC is located in the client C, this local functionality is consulted and kept up-to-date e.g. by the server.

[0050] Preferably the consultation of the business rules takes place before the connection set-up; and preferably the verification of the username/password pairs (authentication) is still done at the phase of connection set-up and is not necessarily included in the negotiation phase, i.e. required by business rules in the business logic BL, BLC (although it certainly can be included).

[0051] The consultation and enforcement of flexible business rules can, among others, be based on the following criteria: decision of the requestor or a third party on aspects of the connection (QoS, security, . . . ), information specified by the user or application during the intermediate phase, alert of the user and resulting user action, the user's online credit, parental control, number of other users, high load or outage of the destination network, disclaimer or legal warning of the network (for example a banking network), etc.

[0052] A possible implementation of the invention involves concrete devices and networks in the home realm and the local realm, as shown in FIG. 5 and FIG. 6.

[0053] FIG. 5 shows a terminal T comprising an application or an operating system AP/OS and a business logic controller BC. The server side, i.e. the local realm, comprises a trader TR and multiple networks NW1, NW2. This trader can be a network access client device, say, which might be a foreign agent, a relay agent, a proxy, an AAA server or the like.

[0054] There exists a communication channel between the connection controller CC via the business controller BC in the home realm and the trader TR in the local realm, which is used to allow flexible business logic to be enforced when a user requests to be connected to a network.

[0055] A network access client, which might be either a separate access device AD, shown in FIG. 6, or a terminal T, shown in FIG. 5, comprises a connection controller CC that receives/intercepts all connection requests and sends them to a business logic (either on the terminal T or at the trader TR) realized by the business controller BC. The trader TR contains the business logic or a corresponding business logic controller that updates the business logic on the client, in case it is located on the client.

[0056] A real example scenario might look like this. Using e.g. the Alcatel 5742 Personalized Service Selection client, John Smith wants to connect to a banking virtual private network. He is presented a dialog box warning him of new legal conditions of online banking. Only after reading this message (and pressing accept) is the actual connection set up.

[0057] An alternative real example scenario: using his Alcatel 5742 Personalized Service Selection client, the son of John Smith wants to access the internet. The business logic, which is consulted by the client application before trying to connect, alerts John Smith and asks for his approval. Mr. Smith decides to allow this connection but only at 512 Kbps. When later on his son wants to access the school's virtual private network, of course a 1 Mbps connection is approved by the caring father.
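As an added illustration that is not part of the patent text, the following Python sketch runs the phases of FIG. 2 with the interim negotiation phase P6, binds authorization and accounting to the contract of interaction 5 in FIG. 3 (enforced by a session handler as in [0045]), and plays through the two scenarios of [0056] and [0057]. The credential store, service names, tariffs and the `ask_user` callback standing in for the man-machine interface are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed credential store for the authentication phase P2 (example data only).
CREDENTIALS = {"john": "s3cret", "son": "kidpass"}


@dataclass
class ConnectionRequest:
    """Interactions 2/3: the application asks the session handler SH1 for a resource."""
    user: str
    password: str
    service: str          # constructed names: "internet", "school-vpn", "banking-vpn"
    requested_kbps: int


@dataclass
class Contract:
    """Interaction 5: the negotiated business mode that P3, P4 and P5 are bound to."""
    service: str
    granted_kbps: int
    conditions: list = field(default_factory=list)
    rate_cents_per_min: int = 0   # constructed tariff used by accounting


class BusinessLogic:
    """Business rules consulted in P6 (BL on the client or BLC on the trader).
    ask_user models the man-machine interface of the intermediate phase: it gets a
    question and answers True (accept/grant) or False (deny)."""

    def __init__(self, ask_user: Callable[[str], bool]):
        self.ask_user = ask_user

    def negotiate(self, req: ConnectionRequest) -> tuple[str, Optional[Contract]]:
        """Return ("granted" | "modified" | "denied", contract or None)."""
        if req.service == "banking-vpn":
            # Legal warning of the destination network must be accepted first ([0056]).
            if not self.ask_user(f"{req.user}: accept the new legal conditions of online banking?"):
                return "denied", None
            return "granted", Contract(req.service, req.requested_kbps, ["legal-notice-accepted"], 2)
        if req.user == "son":
            # Parental control ([0057]): the parent is asked and fixes the bandwidth.
            if not self.ask_user(f"Allow son to access {req.service}?"):
                return "denied", None
            cap = 1000 if req.service == "school-vpn" else 512   # 1 Mbps vs 512 Kbps
            granted = min(req.requested_kbps, cap)
            outcome = "modified" if granted < req.requested_kbps else "granted"
            return outcome, Contract(req.service, granted, ["parental-control"], 1)
        return "granted", Contract(req.service, req.requested_kbps, [], 1)


class SessionHandler:
    """SH1/SH2: enforce the negotiated contract during the access phase P5."""

    @staticmethod
    def enforce_bandwidth(contract: Contract, actual_kbps: int) -> int:
        # Traffic above the contracted maximum is clamped, never passed unchecked.
        return min(actual_kbps, contract.granted_kbps)

    @staticmethod
    def account(contract: Contract, minutes: int) -> int:
        # Accounting follows the negotiated business mode, not a fixed tariff.
        return minutes * contract.rate_cents_per_min


def connect(req: ConnectionRequest, logic: BusinessLogic) -> tuple[str, Optional[Contract]]:
    """Runs P1 (the request itself), P2, P6 and P3/P4 in the order of FIG. 2."""
    if CREDENTIALS.get(req.user) != req.password:   # P2: authentication fails
        return "reject", None
    outcome, contract = logic.negotiate(req)        # P6: interim negotiation
    if contract is None:
        return "reselect", None                     # arrow from P6 back to P1
    # P3/P4: authorization and the accept/reject decision follow the contract.
    return ("accept" if outcome == "granted" else "accept-modified"), contract


if __name__ == "__main__":
    father = BusinessLogic(ask_user=lambda question: True)   # the caring father approves
    print(connect(ConnectionRequest("son", "kidpass", "internet", 2000), father))
```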

[0058] The business logic controlling the intermediate phase can be located on the user terminal, an advanced modem or a server in the network. When it is located at the customer premises, an update mechanism has to be in place. The connection controller can be on the user terminal or on an advanced modem. When on the terminal, the connection controller can be part of an application or a standalone service, a daemon, or an application running in the background.

[0059] The invention has several aspects, namely an intermediate phase between authentication and authorization, and an intermediate phase between connection request and connection accept/reject. An intermediate negotiation can be initiated between the business logic and the user or his application. Another aspect is the use of flexible business rules that can be on a server, the client terminal (with an update mechanism from the server) or the modem (with an update mechanism from the server), and a (possibly permanent) communication channel between user/terminal and access controller as an enabler for enforcing flexible, server-side controlled business logic. This (possibly permanent) communication channel between user/terminal and access controller is an enabler for a policy-framework compliant solution for connection setup and co-existence.

1. A method for controlling the establishment of a network connection between a client and a network, comprising the phases of authenticating, authorizing, and accounting, comprising a further interim negotiation phase of negotiating a connection or business mode of authorization and accounting.
2. The method according to claim 1, further comprising an additional initialization phase synchronizing the underlying business model.
3. The method according to claim 1, providing a user interface means for involving a user in the further interim negotiation phase.
4. The method according to claim 1, wherein the negotiating comprises a connection policy-framework compliant solution.
5. A network access system comprising a network access client device connected to at least one network via a network access trader device, said network access client device comprising a connection controller for controlling the access to said at least one network, characterized by further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with a network access trading device of said at least one network, and said network access trading device comprising a second connection controller for controlling the access to said at least one network from said at least one network access client device, and a second business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with said at least one network access client device and for authorization and accounting of said connection.
6. A network access client device connected to at least one network, comprising a connection controller for controlling the access to said at least one network, characterized by further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with a network access trading device of said at least one network.
7. A network access trading device connected to at least one network access client device, the network access trading device comprising a connection controller for controlling the access to said at least one network from said at least one network access client device, further comprising a business logic inference machine and memory for business logic specifying business rules and connection behavior, said connection controller using the business logic for negotiating a connection or business mode with said at least one network access client device and for authorization and accounting of said connection.
8. A network access trading device according to claim 7, wherein the network access trading device is a network access server.
9. A computer software product, characterized by comprising programming means for performing the method according to claim 1.